Human rights activists and journalists have been the subject of hacking attempts using NSO Group's Pegasus spyware, an investigation claims, with approximately 37 smartphones successfully hacked using the surveillance tool.
NSO Group is known for producing hacking tools, which are used by governments and law enforcement agencies around the world. The company's best-known tool is "Pegasus," spyware that can jailbreak a device like an iPhone, install malware, and allow the exporting of user data.
In an investigation by a group of 17 media organizations, it seems Pegasus is being used to attack critics of governments, rather than just against criminals. A leak, reported by The Guardian, includes a list of more than 50,000 phone numbers thought to have been people of interest for clients of NSO Group since 2016.
However, more than 180 numbers associated with journalists were included in the list, among them reporters and executives at major outlets such as the Financial Times, CNN, and the New York Times.
On an infected device, Pegasus enabled a user to extract practically any data they wanted, as well as to enable cameras and microphones in secret, read encrypted messages, and record phone calls. It was also possible for GPS coordinates to be acquired, allowing for live tracking and logging of where the target had been.
While the list of numbers uncovered by journalism non-profit Hidden Stories and Amnesty International does not guarantee that the devices in question were attacked with the software, it seems a high proportion may have undergone some form of surveillance.
Amnesty's Security Lab discovered traces of Pegasus activity on 37 out of 67 smartphones it examined that were linked to the list. The smartphones were sourced from journalists, human rights activists, and lawyers who appeared on the list.
In some cases, it was found that the time and date the person was added to the list were very close to recorded activity on the device, sometimes within seconds.
A group of 10 governments are believed to be NSO clients adding numbers into the system, with the list including Azerbaijan, Kazakhstan, Rwanda, and the UAE, among others. Mexico is thought to have contributed the most numbers to the list at over 15,000 lines, with its use by multiple agencies the most likely reason for the high count.
The leaked data also suggests Pegasus was used by Saudi Arabia and the UAE to target smartphones of people close to murdered journalist Jamal Khashoggi for months after his death. A Turkish prosecutor investigating the death was also apparently considered a target for surveillance.
In a statement to The Verge, NSO firmly denied the report's claims, insisting it was "full of wrong assumptions and uncorroborated theories that raise serious doubts about the reliability and interests of the sources." The company is apparently considering a defamation lawsuit as "these allegations are so outrageous and far from reality."
In October 2019, Facebook sued NSO Group over allegations the hacking tool producer used a vulnerability in WhatsApp to send malware to around 1,400 journalists. In April 2020, NSO Group claimed Facebook had previously approached the company in 2017 to potentially buy access to the software, specifically to gather data on Apple devices.
12 Comments
I would like to know which versions of iOS / iPhones were affected. Critical: Pegasus could apparently be installed via zero-days, via iMessage data, via IMSI catchers - and all also without any user interaction.
Standard journalism nonsense here. Regarding the surveillance mentioned, most is normal operation procedure on Android. Google (and Facebook) collect and monetize most of the data mentioned. Why would "Pegasus" even be needed? Other than trolls and anti-Apple hysterics, it is a plain fact that location data, contacts lists, and messaging metadata, among others, are factually monetized. A third-party app of any variety can also record this data without even breaking ToS or being malware-based.
Stupid Apple for not taking this chance to hit that point over and over hard! Instead going with a wimpy "experts say we are safer". That's like a bad TV commercial statement.
The article is short on details except mentioning "through apps" and mentioning the vulnerability found in iMessage. Apple patched that vulnerability. So what other Apps were involved? I'll wager it isn't iOS but again if it is an app doing data tracking outside of the app usage, Apple should know this and pull it. Not naming Apps? That probably means there is a big name behind an app.